WP Webhooks/ API Reference
Developer

REST API Reference

v1.15.0 · 74 endpoints · 15 resource groups

REST API for the free Webhook Actions WordPress plugin — Pro features require a Pro license.

/ Authentication

Base URL

https://your-site.com/wp-json/fswa/v1

Pass an API token via any of these three methods:

X-FSWA-Token header

X-FSWA-Token: <your-token>

Recommended. Keeps the token out of server logs and URLs.

Authorization: Bearer

Authorization: Bearer <your-token>

Standard Bearer token format, compatible with most HTTP clients.

Query parameter

?api_token=<your-token>

Convenient for quick browser testing or webhook callbacks.

Token Scopes

read

GET endpoints — list, get, stats, health, triggers, schemas.

operational

Read + toggle webhooks, retry/replay logs, execute queue jobs.

full

Operational + create, update, delete. Reveals stored auth secrets. Token management requires WordPress admin session.

agent

Same write access as full, but can never reveal a webhook's auth_header or any Credentials Vault secret. Intended for AI assistants.

Webhooks

8 endpoints

Create and manage webhook endpoints.

List webhooks

Returns all webhooks. Requires `read` scope or admin session.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Parameters

NameInTypeReqDescription
only_enabledqueryboolean default: false

Responses

200 Array of webhooks.
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/webhooks" \
  -H "X-FSWA-Token: your-token"

Create a webhook

Creates a new webhook. Requires `full` scope or admin session.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Request Body · required

name string required
endpoint_url string required
auth_header string
http_method string GET | POST | PUT | PATCH | DELETE

HTTP method used for delivery. GET and DELETE send no body — configure `url_params` to pass payload data as query parameters.

custom_headers array

Extra request headers. Values support dot-notation paths into the outgoing payload or literal strings.

items:
key string
value string

Dot-path (e.g. `event.id`) or static string.

url_params array

Query parameters appended to the URL. Required for GET/DELETE to carry payload data.

items:
key string
value string

Dot-path (e.g. `order.id`) or static string.

is_enabled boolean
is_synchronous boolean

When true, the webhook fires inline during the WordPress request that triggered it, bypassing the queue for the first attempt. Retryable failures fall back to the async queue starting at attempt 1.

triggers array
auth_credential_id integer

ID of a Credentials Vault entry to use for authorization. Takes precedence over `auth_header`. Set null to clear.

Responses

200 Created webhook.
{
  "id": 1,
  "webhook_uuid": "550e8400-e29b-41d4-a716-446655440000",
  "name": "Order to n8n",
  "endpoint_url": "https://n8n.example.com/webhook/abc123",
  "auth_header": "Bearer secret123",
  "http_method": "GET"
}
400 Validation error.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X POST "https://your-site.com/wp-json/fswa/v1/webhooks" \
  -H "X-FSWA-Token: your-token" \
  -H "Content-Type: application/json" \
  -d '{
  "name": "Order to n8n",
  "endpoint_url": "https://n8n.example.com/webhook/abc123",
  "auth_header": "Bearer secret123",
  "http_method": "GET",
  "custom_headers": ""
}'

Get a webhook

Requires `read` scope or admin session.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Responses

200 Webhook.
{
  "id": 1,
  "webhook_uuid": "550e8400-e29b-41d4-a716-446655440000",
  "name": "Order to n8n",
  "endpoint_url": "https://n8n.example.com/webhook/abc123",
  "auth_header": "Bearer secret123",
  "http_method": "GET"
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/webhooks/id" \
  -H "X-FSWA-Token: your-token"

Update a webhook

Updates a webhook. All fields are optional. Requires `full` scope or admin session.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Request Body · optional

name string required
endpoint_url string required
auth_header string
http_method string GET | POST | PUT | PATCH | DELETE

HTTP method used for delivery. GET and DELETE send no body — configure `url_params` to pass payload data as query parameters.

custom_headers array

Extra request headers. Values support dot-notation paths into the outgoing payload or literal strings.

items:
key string
value string

Dot-path (e.g. `event.id`) or static string.

url_params array

Query parameters appended to the URL. Required for GET/DELETE to carry payload data.

items:
key string
value string

Dot-path (e.g. `order.id`) or static string.

is_enabled boolean
is_synchronous boolean

When true, the webhook fires inline during the WordPress request that triggered it, bypassing the queue for the first attempt. Retryable failures fall back to the async queue starting at attempt 1.

triggers array
auth_credential_id integer

ID of a Credentials Vault entry to use for authorization. Takes precedence over `auth_header`. Set null to clear.

Responses

200 Updated webhook.
{
  "id": 1,
  "webhook_uuid": "550e8400-e29b-41d4-a716-446655440000",
  "name": "Order to n8n",
  "endpoint_url": "https://n8n.example.com/webhook/abc123",
  "auth_header": "Bearer secret123",
  "http_method": "GET"
}
400 Validation error.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X PATCH "https://your-site.com/wp-json/fswa/v1/webhooks/id" \
  -H "X-FSWA-Token: your-token" \
  -H "Content-Type: application/json" \
  -d '{
  "name": "Order to n8n",
  "endpoint_url": "https://n8n.example.com/webhook/abc123",
  "auth_header": "Bearer secret123",
  "http_method": "GET",
  "custom_headers": ""
}'

Delete a webhook

Requires `full` scope or admin session.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Responses

200 Deleted.
{
  "deleted": true,
  "id": 0
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X DELETE "https://your-site.com/wp-json/fswa/v1/webhooks/id" \
  -H "X-FSWA-Token: your-token"

Toggle webhook on/off

Flips the `is_enabled` flag. Requires `operational` scope or admin session.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Responses

200 Updated webhook.
{
  "id": 1,
  "webhook_uuid": "550e8400-e29b-41d4-a716-446655440000",
  "name": "Order to n8n",
  "endpoint_url": "https://n8n.example.com/webhook/abc123",
  "auth_header": "Bearer secret123",
  "http_method": "GET"
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X POST "https://your-site.com/wp-json/fswa/v1/webhooks/id/toggle" \
  -H "X-FSWA-Token: your-token"

List logs for a specific webhook

Returns paginated delivery logs scoped to a single webhook. Requires `read` scope.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Parameters

NameInTypeReqDescription
pagequeryinteger default: 1
per_pagequeryinteger default: 20

Responses

200 Array of log entries.
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/webhooks/webhook_id/logs" \
  -H "X-FSWA-Token: your-token"

Send a test delivery

Fires a test delivery for a webhook. The webhook must have at least one trigger configured. Requires `full` scope or admin session. **Payload sources:** - `captured` — the raw captured example payload for the trigger (no mapping applied) - `mapped` — captured payload with field mapping applied - `pre_glue` — mapped payload with the pre-dispatch Code Glue snippet applied (Pro) - `full_glue` — same as `pre_glue`; post-dispatch snippet also runs after delivery (Pro) - `custom` — supply an arbitrary payload via the `payload` field **Modes:** - `now` — runs synchronously, returns the full log entry immediately - `queue` — enqueues the job and returns the job ID

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Request Body · required

trigger string

Trigger name to test. Defaults to the first configured trigger if omitted.

payload_source string captured | mapped | pre_glue | full_glue | custom

Where to source the test payload from.

payload object

Custom payload. Required when `payload_source` is `custom`.

object

Custom payload. Required when `payload_source` is `custom`.

mode string now | queue

`now` returns the result immediately; `queue` enqueues for async processing.

Responses

200 Test result.
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
422 Webhook has no triggers configured, or no captured payload found for the trigger.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X POST "https://your-site.com/wp-json/fswa/v1/webhooks/id/test" \
  -H "X-FSWA-Token: your-token" \
  -H "Content-Type: application/json" \
  -d '{
  "trigger": "woocommerce_order_status_completed",
  "payload_source": "captured",
  "payload": "",
  "mode": "now"
}'

Logs

8 endpoints

View delivery logs, retry failures, and replay events.

List delivery logs

Returns paginated webhook delivery logs. Requires `read` scope.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Parameters

NameInTypeReqDescription
pagequeryinteger default: 1
per_pagequeryinteger default: 20
statusquerystring success | error | retry | pending | permanently_failed | test | skipped
webhook_idqueryinteger
trigger_namequerystring
webhook_uuidquerystringFilter by webhook UUID / `X-Webhook-Id` value (partial match).
event_uuidquerystringFilter by event UUID (exact match).
target_urlquerystringFilter by target URL (partial match).
date_fromquerystringFilter from this UTC datetime (format: `YYYY-MM-DD HH:MM:SS`).
date_toquerystringFilter until this UTC datetime (format: `YYYY-MM-DD HH:MM:SS`).
chain_idqueryintegerFilter to entries triggered by any link in this chain (resolves to the chain's synthetic fswa_chain_link:N trigger names).

Responses

200 Array of log entries.
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/logs" \
  -H "X-FSWA-Token: your-token"

Bulk delete logs

Deletes all log entries older than the specified number of days. Requires `full` scope.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Parameters

NameInTypeReqDescription
older_than_daysqueryintegeryes

Responses

200 Number of deleted records.
{
  "deleted": 0,
  "older_than": null
}
400 Missing older_than_days parameter.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X DELETE "https://your-site.com/wp-json/fswa/v1/logs" \
  -H "X-FSWA-Token: your-token"

Delivery statistics

Returns delivery statistics for the specified period. Requires `read` scope.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Parameters

NameInTypeReqDescription
daysqueryinteger default: 7
webhook_idqueryinteger

Responses

200 Delivery stats.
{
  "total": 0,
  "success": 0,
  "error": 0,
  "retry": 0,
  "pending": 0,
  "permanently_failed": 0
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/logs/stats" \
  -H "X-FSWA-Token: your-token"

Bulk retry failed logs

Resets the associated queue jobs for multiple failed log entries so they will be retried. Requires `operational` scope.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Request Body · required

ids array required

Array of log IDs to retry.

Responses

200 Retry result.
{
  "retried": 0,
  "skipped": 0
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X POST "https://your-site.com/wp-json/fswa/v1/logs/bulk-retry" \
  -H "X-FSWA-Token: your-token" \
  -H "Content-Type: application/json" \
  -d '{
  "ids": ""
}'

Get a log entry

Requires `read` scope.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Responses

200 Log entry.
{
  "id": 0,
  "webhook_id": 0,
  "webhook_uuid": null,
  "trigger_name": "woocommerce_order_status_completed",
  "event_uuid": "550e8400-e29b-41d4-a716-446655440000",
  "event_timestamp": null
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/logs/id" \
  -H "X-FSWA-Token: your-token"

Delete a log entry

Requires `full` scope.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Responses

200 Deleted.
{
  "deleted": true,
  "id": 0
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X DELETE "https://your-site.com/wp-json/fswa/v1/logs/id" \
  -H "X-FSWA-Token: your-token"

Retry a failed log

Resets the queue job linked to a failed log entry so it will be retried on the next cron run. Only `error` or `permanently_failed` logs can be retried. Requires `operational` scope.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Responses

200 Retry queued.
{
  "success": false,
  "job_id": 0
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
409 Conflict — e.g., job is already processing or not in a retryable state.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X POST "https://your-site.com/wp-json/fswa/v1/logs/id/retry" \
  -H "X-FSWA-Token: your-token"

Replay a successful log

Creates a new queue job using the original payload from a successful log entry. The replay reuses the existing log entry (new attempt added to the attempt history). Only `success` logs can be replayed. Requires `operational` scope.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Responses

200 Replay queued.
{
  "success": false,
  "job_id": 0
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
409 Conflict — e.g., job is already processing or not in a retryable state.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X POST "https://your-site.com/wp-json/fswa/v1/logs/id/replay" \
  -H "X-FSWA-Token: your-token"

Queue

5 endpoints

Inspect and control the delivery queue.

List queue jobs

Returns paginated queue jobs. Requires `read` scope.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Parameters

NameInTypeReqDescription
pagequeryinteger default: 1
per_pagequeryinteger default: 20
statusquerystring pending | processing | completed | failed | permanently_failed
webhook_idqueryinteger
webhook_uuidquerystringFilter by webhook UUID / `X-Webhook-Id` value (partial match).
event_uuidquerystringFilter by event UUID (exact match).
target_urlquerystringFilter by target URL (partial match).
date_fromquerystringFilter from this UTC datetime (format: `YYYY-MM-DD HH:MM:SS`).
date_toquerystringFilter until this UTC datetime (format: `YYYY-MM-DD HH:MM:SS`).
chain_idqueryintegerFilter to entries triggered by any link in this chain (resolves to the chain's synthetic fswa_chain_link:N trigger names).

Responses

200 Paginated list of queue jobs.
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/queue" \
  -H "X-FSWA-Token: your-token"

Queue statistics

Returns current queue counts by status. Requires `read` scope.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Responses

200 Queue stats.
{
  "total": 0,
  "pending": 0,
  "processing": 0,
  "completed": 0,
  "permanently_failed": 0,
  "due_now": 0
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/queue/stats" \
  -H "X-FSWA-Token: your-token"

Execute a queue job immediately

Locks and executes a specific pending job immediately, bypassing the scheduled cron run. Requires `operational` scope.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Request Body · required

id integer required

Queue job ID.

Responses

200 Execution result.
{
  "success": false,
  "rescheduled": false,
  "permanently_failed": false,
  "message": null
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
409 Conflict — e.g., job is already processing or not in a retryable state.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X POST "https://your-site.com/wp-json/fswa/v1/queue/execute" \
  -H "X-FSWA-Token: your-token" \
  -H "Content-Type: application/json" \
  -d '{
  "id": 0
}'

Reset and retry a failed queue job

Resets a `permanently_failed` or `pending` job to be retried. Requires `operational` scope.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Request Body · required

id integer required

Responses

200 Job queued for retry.
{
  "success": true,
  "message": null
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
409 Conflict — e.g., job is already processing or not in a retryable state.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X POST "https://your-site.com/wp-json/fswa/v1/queue/retry" \
  -H "X-FSWA-Token: your-token" \
  -H "Content-Type: application/json" \
  -d '{
  "id": 0
}'

Delete a queue job

Permanently removes a queue job. Cannot delete a job that is currently processing. Requires `full` scope.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Request Body · required

id integer required

Responses

200 Job deleted.
{
  "success": true,
  "message": null
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
409 Conflict — e.g., job is already processing or not in a retryable state.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X POST "https://your-site.com/wp-json/fswa/v1/queue/delete" \
  -H "X-FSWA-Token: your-token" \
  -H "Content-Type: application/json" \
  -d '{
  "id": 0
}'

Health

1 endpoint

System health and delivery statistics.

System health and statistics

Returns aggregate delivery stats, queue health, velocity metrics, and observability indicators. Requires `read` scope.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Responses

200 Health stats.
{
  "success_rate": 98.5,
  "has_data": false,
  "webhooks": null,
  "logs": null,
  "queue": null,
  "velocity": null
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/health" \
  -H "X-FSWA-Token: your-token"

Triggers

1 endpoint

Browse available WordPress action triggers.

List available triggers

Returns suggested triggers plus all currently registered WordPress hooks (excluding internal/UI hooks). Requires `read` scope.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Responses

200 Trigger list.
{
  "triggers": [],
  "grouped": null,
  "categories": null,
  "allowCustom": false
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/triggers" \
  -H "X-FSWA-Token: your-token"

Schemas

6 endpoints

Configure payload mapping for webhook/trigger pairs.

List payload schemas for a webhook

Returns all stored payload schemas (one per trigger) for the given webhook. Requires `read` scope.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Responses

200 Array of schemas.
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/schemas/webhook/id" \
  -H "X-FSWA-Token: your-token"

Get payload schema

Returns the payload schema for a specific webhook/trigger pair. Returns an empty schema structure if none has been configured. Requires `read` scope.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Responses

200 Schema.
{
  "id": 0,
  "webhook_id": 0,
  "trigger_name": null,
  "example_payload": null,
  "field_mapping": null,
  "conditions": {
    "enabled": true,
    "type": "and",
    "rules": [
      {
        "field": "args.0.form_id",
        "operator": "equals",
        "value": "1",
        "cast": "number"
      },
      {
        "type": "group",
        "match": "or",
        "rules": [
          {
            "field": "args.0.4",
            "operator": "equals",
            "value": "sales"
          },
          {
            "field": "args.0.4",
            "operator": "equals",
            "value": "support"
          }
        ]
      }
    ]
  }
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/schemas/webhook/id/trigger/trigger" \
  -H "X-FSWA-Token: your-token"

Update payload schema

Creates or updates the payload schema for a webhook/trigger pair. Requires `full` scope.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Request Body · optional

field_mapping object

Field mapping configuration. Use `mappings` to extract and rename individual fields from the raw hook payload using dot-notation paths. Use `excluded` to drop top-level keys from the output. Set `includeUnmapped` to `true` to pass through any fields not covered by `mappings` or `excluded`.

mappings array
items:
source string required

Dot-notation path into the raw payload (e.g. `args.0.1`, `args.0.ip`).

target string required

Dot-notation path for the key in the outgoing payload (e.g. `name`, `user_ip`, `data.tel`).

cast string number | string | boolean | stringify

Optional type cast applied to the extracted value before mapping. Use `stringify` to JSON-encode arrays or objects into a string.

excluded array

Top-level keys to drop from the output after mapping (e.g. `["args"]`).

includeUnmapped boolean

Pass through top-level fields not covered by mappings or excluded.

include_user_data boolean

Whether to auto-include WordPress user data for user-related triggers.

conditions object

Conditional delivery rules. Pass `null` to remove. Free tier supports at most 1 simple rule; condition groups require Pro.

enabled boolean
type string and | or

Match type. Free tier is locked to `and`.

rules array

Responses

200 Updated schema.
{
  "id": 0,
  "webhook_id": 0,
  "trigger_name": null,
  "example_payload": null,
  "field_mapping": null,
  "conditions": {
    "enabled": true,
    "type": "and",
    "rules": [
      {
        "field": "args.0.form_id",
        "operator": "equals",
        "value": "1",
        "cast": "number"
      },
      {
        "type": "group",
        "match": "or",
        "rules": [
          {
            "field": "args.0.4",
            "operator": "equals",
            "value": "sales"
          },
          {
            "field": "args.0.4",
            "operator": "equals",
            "value": "support"
          }
        ]
      }
    ]
  }
}
400 No updatable fields provided.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X PUT "https://your-site.com/wp-json/fswa/v1/schemas/webhook/id/trigger/trigger" \
  -H "X-FSWA-Token: your-token" \
  -H "Content-Type: application/json" \
  -d '{
  "field_mapping": {
    "mappings": [
      {
        "source": "args.0.1",
        "target": "name"
      },
      {
        "source": "args.0.2",
        "target": "email"
      },
      {
        "source": "args.0.3",
        "target": "tel"
      },
      {
        "source": "args.0.4",
        "target": "type"
      },
      {
        "source": "args.0.5",
        "target": "message"
      },
      {
        "source": "args.0.ip",
        "target": "user_ip"
      }
    ],
    "excluded": [
      "args"
    ],
    "includeUnmapped": true
  },
  "include_user_data": false,
  "conditions": {
    "enabled": true,
    "type": "and",
    "rules": [
      {
        "field": "order.status",
        "operator": "equals",
        "value": "completed"
      },
      {
        "field": "order.total",
        "operator": "greater_than",
        "value": "100",
        "cast": "number"
      }
    ]
  }
}'

Delete payload schema

Removes the payload schema for a webhook/trigger pair. Requires `full` scope.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Responses

200 Deleted.
{
  "deleted": false
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X DELETE "https://your-site.com/wp-json/fswa/v1/schemas/webhook/id/trigger/trigger" \
  -H "X-FSWA-Token: your-token"

Reset payload capture

Clears the stored example payload so the next webhook delivery will be captured as the new example. Requires `full` scope.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Responses

200 Capture reset.
{
  "reset": false,
  "schema": null
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X POST "https://your-site.com/wp-json/fswa/v1/schemas/webhook/id/trigger/trigger/capture" \
  -H "X-FSWA-Token: your-token"

List triggers that support user data enrichment

Returns the list of trigger hook names that support automatic user data enrichment (when `include_user_data` is enabled). Requires `read` scope.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Responses

200 User-enrichable triggers.
{
  "triggers": [
    "user_register",
    "profile_update",
    "wp_login",
    "wp_logout"
  ]
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/schemas/user-triggers" \
  -H "X-FSWA-Token: your-token"

API Tokens

5 endpoints

Manage API tokens. Requires WordPress admin login — tokens cannot manage themselves on their own.

List API tokens

Returns all API tokens (never exposes the token secret). **Requires WordPress admin login.** API tokens cannot access this endpoint.

Auth Required

WordPress admin session

Responses

200 Array of tokens.
401 Not logged in as admin.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/tokens" \
  -H "X-FSWA-Token: your-token"

Create an API token

Creates a new API token. The plaintext token is returned **once** in the response and cannot be retrieved later. **Requires WordPress admin login.**

Auth Required

WordPress admin session

Request Body · required

name string required
scope string required read | operational | full | agent
expires_at string

Optional UTC expiry. Omit for no expiry.

Responses

200 Created token with plaintext secret.
400 Validation error.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
401 Not logged in as admin.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X POST "https://your-site.com/wp-json/fswa/v1/tokens" \
  -H "X-FSWA-Token: your-token" \
  -H "Content-Type: application/json" \
  -d '{
  "name": "n8n integration",
  "scope": "read",
  "expires_at": "2027-01-01 00:00:00"
}'

Rotate an API token

Issues a new token secret while preserving the token's name, scope, and other settings. The old secret is immediately invalidated. The new plaintext token is returned **once**. Optionally update `expires_at` in the same request. **Requires WordPress admin login.**

Auth Required

WordPress admin session

Request Body · optional

expires_at string

If present, updates the expiry. Pass `null` to remove expiry. Omit to keep the current expiry.

Responses

200 Rotated token with new plaintext secret.
401 Not logged in as admin.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X POST "https://your-site.com/wp-json/fswa/v1/tokens/id/rotate" \
  -H "X-FSWA-Token: your-token" \
  -H "Content-Type: application/json" \
  -d '{
  "expires_at": "2027-06-01 00:00:00"
}'

Update token expiry

Updates `expires_at` without rotating the token secret. Pass `null` to remove the expiry. **Requires WordPress admin login.**

Auth Required

WordPress admin session

Request Body · required

expires_at string

Responses

200 Updated token.
{
  "id": 0,
  "name": "n8n integration",
  "scope": "read",
  "token_hint": "ab12",
  "expires_at": null,
  "last_used_at": null
}
401 Not logged in as admin.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X PATCH "https://your-site.com/wp-json/fswa/v1/tokens/id" \
  -H "X-FSWA-Token: your-token" \
  -H "Content-Type: application/json" \
  -d '{
  "expires_at": "2027-01-01 00:00:00"
}'

Delete an API token

Permanently deletes an API token. **Requires WordPress admin login.**

Auth Required

WordPress admin session

Responses

200 Deleted.
{
  "deleted": true,
  "id": 0
}
401 Not logged in as admin.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X DELETE "https://your-site.com/wp-json/fswa/v1/tokens/id" \
  -H "X-FSWA-Token: your-token"

Credentials Vault

7 endpoints

Encrypted, reusable authentication secrets referenced by webhooks. Secrets are write-only — never returned by the API.

List credentials

Lists vault credentials (metadata + masked hint only). Requires `full`/`agent` scope or admin session.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Responses

200 Array of credentials.
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/credentials" \
  -H "X-FSWA-Token: your-token"

Create a credential

Creates an encrypted credential. The secret is write-only — the response returns metadata only. Requires `full`/`agent` scope or admin session.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Request Body · required

name string required
type string required bearer | basic | api_key | custom
header_name string

Required for `api_key`/`custom` (defaults to `Authorization`).

secret string

Token/key for bearer, api_key, or custom types.

username string

Username for `basic` type (e.g. WordPress username for an Application Password).

password string

Password/application-password for `basic` type.

Responses

200 Created credential (no secret).
{
  "id": 3,
  "name": "HubSpot PAT",
  "type": "bearer",
  "header_name": "X-API-Key",
  "hint": "Bearer ****1234",
  "created_at": null
}
400 Validation error.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
409 A credential with this name already exists.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X POST "https://your-site.com/wp-json/fswa/v1/credentials" \
  -H "X-FSWA-Token: your-token" \
  -H "Content-Type: application/json" \
  -d '{
  "name": "HubSpot PAT",
  "type": "bearer",
  "header_name": "X-API-Key",
  "secret": "sk_live_xxx",
  "username": ""
}'

Get a credential

Returns credential metadata (no secret).

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Responses

200 Credential.
{
  "id": 3,
  "name": "HubSpot PAT",
  "type": "bearer",
  "header_name": "X-API-Key",
  "hint": "Bearer ****1234",
  "created_at": null
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/credentials/id" \
  -H "X-FSWA-Token: your-token"

Update a credential

Updates a credential. Omit secret fields to keep the current value; supplying them re-encrypts. Requires `full`/`agent` scope or admin session.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Request Body · required

name string required
type string required bearer | basic | api_key | custom
header_name string

Required for `api_key`/`custom` (defaults to `Authorization`).

secret string

Token/key for bearer, api_key, or custom types.

username string

Username for `basic` type (e.g. WordPress username for an Application Password).

password string

Password/application-password for `basic` type.

Responses

200 Updated credential.
{
  "id": 3,
  "name": "HubSpot PAT",
  "type": "bearer",
  "header_name": "X-API-Key",
  "hint": "Bearer ****1234",
  "created_at": null
}
400 Validation error.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
409 Name already exists.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X PUT "https://your-site.com/wp-json/fswa/v1/credentials/id" \
  -H "X-FSWA-Token: your-token" \
  -H "Content-Type: application/json" \
  -d '{
  "name": "HubSpot PAT",
  "type": "bearer",
  "header_name": "X-API-Key",
  "secret": "sk_live_xxx",
  "username": ""
}'

Delete a credential

Deletes a credential. Blocked with 409 if any webhook references it, unless `force=true` is passed (which detaches it from those webhooks first).

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Parameters

NameInTypeReqDescription
forcequerybooleanDetach from referencing webhooks and delete anyway. default: false

Responses

200 Deleted.
{
  "deleted": false,
  "id": 0,
  "detached": 0
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
409 In use by one or more webhooks (pass force=true to override).
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X DELETE "https://your-site.com/wp-json/fswa/v1/credentials/id" \
  -H "X-FSWA-Token: your-token"

Vault encryption-key status

Reports whether the encryption key lives in the database or the `FSWA_SECRET_KEY` constant, and whether a re-encryption migration is needed.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Responses

200 Key status.
{
  "key_source": "database",
  "using_constant": false,
  "db_key_present": false,
  "fully_protected": false,
  "needs_migration": false,
  "total": 0
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/credentials/key-status" \
  -H "X-FSWA-Token: your-token"

Re-encrypt all credentials

Re-wraps every credential with the current primary key. When `FSWA_SECRET_KEY` is in use and all succeed, the database key is deleted so only the wp-config key can decrypt. Requires `full`/`agent` scope or admin session.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Responses

200 Migration result.
{
  "migrated": 0,
  "failed": 0,
  "failed_ids": [],
  "db_key_removed": false
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X POST "https://your-site.com/wp-json/fswa/v1/credentials/reencrypt" \
  -H "X-FSWA-Token: your-token"

Dispatcher

4 endpoints

Manually process the queue and manage cron configuration. Requires WordPress admin login.

Manually process the queue

Triggers a batch queue processing run immediately. **Requires WordPress admin login.** For automated cron use, use `GET /cron/process` instead.

Auth Required

WordPress admin session

Request Body · optional

batch_size integer

Responses

200 Processing result.
{
  "success": false,
  "message": null,
  "result": null
}
401 Not logged in as admin.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X POST "https://your-site.com/wp-json/fswa/v1/dispatcher/process" \
  -H "X-FSWA-Token: your-token" \
  -H "Content-Type: application/json" \
  -d '{
  "batch_size": 0
}'

Cron queue processing endpoint

Processes a batch of due queue jobs. Authenticated via the `token` query parameter (a server-generated secret, not an API token). Designed for use with system cron: ``` */1 * * * * curl -fsS 'https://your-site.com/wp-json/fswa/v1/cron/process?token=SECRET' >/dev/null 2>&1 ``` The cron URL and command are available from `GET /cron/info`.

Parameters

NameInTypeReqDescription
tokenquerystringyesCron secret token from the plugin settings.
batch_sizequeryinteger default: 10

Responses

200 Processing result.
{
  "ok": false,
  "processed": 0,
  "succeeded": 0,
  "failed": 0
}
403 Invalid cron token.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
500 Cron secret not configured.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/cron/process" \
  -H "X-FSWA-Token: your-token"

Get cron configuration

Returns the cron secret token, the ready-to-use cron URL, and a crontab command for system cron setup. **Requires WordPress admin login.**

Auth Required

WordPress admin session

Responses

200 Cron info.
{
  "token": null,
  "cron_url": null,
  "cron_command": "*/1 * * * * curl -fsS 'https://your-site.com/wp-json/fswa/v1/cron/process?token=...' >/dev/null 2>&1",
  "last_run": null,
  "last_run_human": "5 minutes ago",
  "wp_cron_disabled": false
}
401 Not logged in as admin.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/cron/info" \
  -H "X-FSWA-Token: your-token"

Regenerate cron secret

Generates a new cron secret, invalidating the previous one. **Requires WordPress admin login.**

Auth Required

WordPress admin session

Responses

200 New cron token.
{
  "success": false,
  "token": null,
  "cron_url": null
}
401 Not logged in as admin.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X POST "https://your-site.com/wp-json/fswa/v1/cron/regenerate-token" \
  -H "X-FSWA-Token: your-token"

Code Glue

Pro 8 endpoints

PHP snippet enrichment for webhook payloads — requires the Pro plugin. Snippets run before dispatch (pre) to modify the payload, or after a successful delivery (post) for side-effects. Requires WordPress admin session or a `full`-scope API token.

List snippets

Returns all Code Glue snippets, optionally filtered by search term or tags. Requires `read` scope or admin session.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Parameters

NameInTypeReqDescription
searchquerystringFilter by name or code content (case-insensitive substring match).
tags[]queryarrayFilter to snippets that have at least one of the given tags.

Responses

200 Array of snippets.
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/pro/snippets" \
  -H "X-FSWA-Token: your-token"

Create a snippet

Creates a new Code Glue snippet. Requires `full` scope or admin session.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Request Body · required

name string required
tags array
code string required

PHP snippet body. No `<?php` tag. Pre-dispatch snippets must return an array.

Responses

200 Created snippet.
{
  "id": 0,
  "name": "Enrich order payload",
  "tags": [
    "woocommerce",
    "orders"
  ],
  "code": "$payload[\"vat_number\"] = get_user_meta({{ $args.0.ID }}, 'vat_number', true);\nreturn $payload;",
  "created_at": null,
  "updated_at": null
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X POST "https://your-site.com/wp-json/fswa/v1/pro/snippets" \
  -H "X-FSWA-Token: your-token" \
  -H "Content-Type: application/json" \
  -d '{
  "name": "Enrich order payload",
  "tags": "",
  "code": ""
}'

Preview snippet execution

Executes a code snippet against a given payload and returns the result without saving anything. Safe to call repeatedly during development. Requires `full` scope or admin session. **Pre mode** (`mode=pre`): snippet receives `$payload` and `$args` (`$payload['args'] ?? []`). Must `return $array;` — non-array return leaves payload unchanged. **Post mode** (`mode=post`): snippet receives `$payload`, `$originalPayload`, `$responseCode`, and `$responseBody` from `postContext`. Return value is ignored.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Request Body · required

code string required

PHP snippet body to execute.

payload object required

The payload to run the snippet against.

object

The payload to run the snippet against.

mode string pre | post

Execution mode.

postContext object

Required for `mode=post`. Provides the post-dispatch variables.

originalPayload object

Pre-mapping payload. Null if no field mapping was applied.

object

Pre-mapping payload. Null if no field mapping was applied.

responseCode integer

HTTP status code from the delivery.

responseBody string

Raw response body from the endpoint.

Responses

200 Execution result.
{
  "result": null,
  "error": null,
  "output": null
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X POST "https://your-site.com/wp-json/fswa/v1/pro/snippets/preview" \
  -H "X-FSWA-Token: your-token" \
  -H "Content-Type: application/json" \
  -d '{
  "code": "",
  "payload": "",
  "mode": "pre",
  "postContext": ""
}'

Get a snippet

Requires `read` scope or admin session.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Responses

200 Snippet.
{
  "id": 0,
  "name": "Enrich order payload",
  "tags": [
    "woocommerce",
    "orders"
  ],
  "code": "$payload[\"vat_number\"] = get_user_meta({{ $args.0.ID }}, 'vat_number', true);\nreturn $payload;",
  "created_at": null,
  "updated_at": null
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/pro/snippets/id" \
  -H "X-FSWA-Token: your-token"

Update a snippet

Partially updates a snippet. Only provided fields are changed — omitting `name` or `tags` leaves them intact. Requires `full` scope or admin session.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Request Body · optional

name string
tags array
code string

Responses

200 Updated snippet.
{
  "id": 0,
  "name": "Enrich order payload",
  "tags": [
    "woocommerce",
    "orders"
  ],
  "code": "$payload[\"vat_number\"] = get_user_meta({{ $args.0.ID }}, 'vat_number', true);\nreturn $payload;",
  "created_at": null,
  "updated_at": null
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X POST "https://your-site.com/wp-json/fswa/v1/pro/snippets/id" \
  -H "X-FSWA-Token: your-token" \
  -H "Content-Type: application/json" \
  -d '{
  "name": "",
  "tags": "",
  "code": ""
}'

Delete a snippet

Deletes a snippet. Existing trigger-snippet assignments that reference this snippet will retain the ID but the snippet field will return null. Requires `full` scope or admin session.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Responses

200 Deleted.
{
  "deleted": false
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X DELETE "https://your-site.com/wp-json/fswa/v1/pro/snippets/id" \
  -H "X-FSWA-Token: your-token"

Get trigger-snippet assignment

Returns the pre/post snippet assignment for a webhook+trigger pair. Returns a default empty structure (no error) if no assignment has been saved yet. Requires `read` scope or admin session.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Responses

200 Trigger-snippet assignment.
{
  "id": 0,
  "webhook_id": 0,
  "trigger_name": "woocommerce_order_status_completed",
  "pre_snippet_id": 0,
  "pre_enabled": false,
  "pre_snippet": null
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/pro/trigger-snippets/webhook_id/trigger/trigger" \
  -H "X-FSWA-Token: your-token"

Save trigger-snippet assignment

Creates or updates the pre/post snippet assignment for a webhook+trigger pair. Only provided fields are updated (upsert). Requires `full` scope or admin session.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Request Body · required

pre_snippet_id integer

ID of the snippet to run before dispatch. Pass `null` to clear.

pre_enabled boolean

Whether the pre-dispatch snippet is active.

post_snippet_id integer

ID of the snippet to run after a successful delivery. Pass `null` to clear.

post_enabled boolean

Whether the post-dispatch snippet is active.

Responses

200 Saved assignment.
{
  "id": 0,
  "webhook_id": 0,
  "trigger_name": "woocommerce_order_status_completed",
  "pre_snippet_id": 0,
  "pre_enabled": false,
  "pre_snippet": null
}
400 No fields provided.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X POST "https://your-site.com/wp-json/fswa/v1/pro/trigger-snippets/webhook_id/trigger/trigger" \
  -H "X-FSWA-Token: your-token" \
  -H "Content-Type: application/json" \
  -d '{
  "pre_snippet_id": 0,
  "pre_enabled": false,
  "post_snippet_id": 0,
  "post_enabled": false
}'

Chains

8 endpoints

Compose webhook automations: link the success of one webhook to the dispatch of others.

List chains

Return all chains with their links and member webhook IDs.

Auth Required

ApiTokenAuth

Responses

200 Array of chains.

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/chains" \
  -H "X-FSWA-Token: your-token"

Create a chain

Create a new (empty) chain. Add source->target edges via /chains/{id}/links.

Auth Required

ApiTokenAuth

Request Body · required

name string required
description string

Responses

200 Created chain.
{
  "id": 0,
  "name": null,
  "description": null,
  "created_at": null,
  "updated_at": null,
  "member_webhook_ids": []
}
409 A chain with that name already exists.

example request

curl -X POST "https://your-site.com/wp-json/fswa/v1/chains" \
  -H "X-FSWA-Token: your-token" \
  -H "Content-Type: application/json" \
  -d '{
  "name": "",
  "description": ""
}'

Get a chain

Auth Required

ApiTokenAuth

Responses

200 Chain with its links.
{
  "id": 0,
  "name": null,
  "description": null,
  "created_at": null,
  "updated_at": null,
  "member_webhook_ids": []
}
404 Chain not found.

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/chains/id" \
  -H "X-FSWA-Token: your-token"

Rename or re-describe a chain

Auth Required

ApiTokenAuth

Request Body · required

name string
description string

Responses

200 Updated chain.
{
  "id": 0,
  "name": null,
  "description": null,
  "created_at": null,
  "updated_at": null,
  "member_webhook_ids": []
}
409 A chain with that name already exists.

example request

curl -X PATCH "https://your-site.com/wp-json/fswa/v1/chains/id" \
  -H "X-FSWA-Token: your-token" \
  -H "Content-Type: application/json" \
  -d '{
  "name": "",
  "description": ""
}'

Delete a chain

Removes the chain and all its links. Member webhooks remain but lose their chain-link triggers; webhooks left triggerless render as orphans in the admin.

Auth Required

ApiTokenAuth

Responses

200 Deleted.
{
  "deleted": false,
  "id": 0,
  "links_removed": 0
}

example request

curl -X DELETE "https://your-site.com/wp-json/fswa/v1/chains/id" \
  -H "X-FSWA-Token: your-token"

List chain links

Auth Required

ApiTokenAuth

Responses

200 Array of chain links.

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/chains/id/links" \
  -H "X-FSWA-Token: your-token"

Add a source->target link

Wire a webhook so it fires when another webhook succeeds. Save-time cycle detection rejects edges that would create a cycle across any chain (HTTP 409 rest_chain_cycle).

Auth Required

ApiTokenAuth

Request Body · required

source_webhook_id integer required
target_webhook_id integer required

Responses

200 Created link.
{
  "id": 0,
  "chain_id": 0,
  "source_webhook_id": 0,
  "target_webhook_id": 0,
  "created_at": null
}
409 Would create a cycle, or link already exists.

example request

curl -X POST "https://your-site.com/wp-json/fswa/v1/chains/id/links" \
  -H "X-FSWA-Token: your-token" \
  -H "Content-Type: application/json" \
  -d '{
  "source_webhook_id": 0,
  "target_webhook_id": 0
}'

Delete a link

Removes the link and its synthetic fswa_chain_link:N trigger row. If this was the chain's last link, the chain itself is auto-deleted (chain_deleted: true).

Auth Required

ApiTokenAuth

Responses

200 Deleted.
{
  "deleted": false,
  "id": 0,
  "chain_deleted": false
}

example request

curl -X DELETE "https://your-site.com/wp-json/fswa/v1/chains/id/links/linkId" \
  -H "X-FSWA-Token: your-token"

License

Pro 3 endpoints

Manage the Pro license key. Requires WordPress admin session.

Get license status

Auth Required

WordPress admin session

Responses

200 Current license state.
{
  "active": false,
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/license" \
  -H "X-FSWA-Token: your-token"

Activate a license key

Auth Required

WordPress admin session

Request Body · required

license_key string required

Responses

200 License activated.
{
  "active": true,
  "data": null
}
422 Invalid or limit-reached license key.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X POST "https://your-site.com/wp-json/fswa/v1/license/activate" \
  -H "X-FSWA-Token: your-token" \
  -H "Content-Type: application/json" \
  -d '{
  "license_key": "XXXXX-XXXXX-XXXXX-XXXXX"
}'

Deactivate the license

Removes the local activation and frees the site slot on the license server.

Auth Required

WordPress admin session

Responses

200 License deactivated.
{
  "active": false
}

example request

curl -X DELETE "https://your-site.com/wp-json/fswa/v1/license/deactivate" \
  -H "X-FSWA-Token: your-token"

Pro Settings

Pro 2 endpoints

Configure Pro-only delivery settings: global retry limits and backoff strategy. Requires WordPress admin session.

Get Pro delivery settings

Auth Required

WordPress admin session

Responses

200 Current Pro retry and backoff configuration.
{
  "global_max_attempts": 5,
  "backoff_strategy": "exponential",
  "backoff_base_delay": 60,
  "backoff_max_delay": 3600
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/pro/settings" \
  -H "X-FSWA-Token: your-token"

Update Pro delivery settings

All fields are optional. Pass `null` to clear a field back to its default (unlimited/disabled).

Auth Required

WordPress admin session

Request Body · optional

global_max_attempts integer

Override the per-webhook max retry attempts for all webhooks. Null = use per-webhook setting.

backoff_strategy string exponential | linear | fixed

Retry backoff algorithm. Null = use plugin default.

backoff_base_delay integer

Base delay in seconds for the backoff calculation. Null = use plugin default.

backoff_max_delay integer

Maximum delay cap in seconds between retries. Null = use plugin default.

Responses

200 Updated fields (only fields that were passed are returned).
{
  "global_max_attempts": 5,
  "backoff_strategy": "exponential",
  "backoff_base_delay": 60,
  "backoff_max_delay": 3600
}
400 Validation error.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X PUT "https://your-site.com/wp-json/fswa/v1/pro/settings" \
  -H "X-FSWA-Token: your-token" \
  -H "Content-Type: application/json" \
  -d '{
  "global_max_attempts": 5,
  "backoff_strategy": "exponential",
  "backoff_base_delay": 60,
  "backoff_max_delay": 3600
}'

External Cron

Pro 5 endpoints

Configure Uptime Kuma-based external cron (externalcron.com) to replace unreliable WP-Cron. The monitor pings either the FSWA queue processor or wp-cron.php on a fixed interval. Requires an active Pro license and WordPress admin session.

Get External Cron settings

Auth Required

WordPress admin session

Responses

200 Current External Cron configuration.
{
  "enabled": false,
  "mode": "plugin_endpoint",
  "min_interval": 0,
  "interval": 60,
  "batch_size": 10,
  "monitor_id": 0
}
403 No active Pro license.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/pro/external-cron/settings" \
  -H "X-FSWA-Token: your-token"

Update External Cron settings

All fields are optional. Changing `mode` updates the Kuma monitor URL. Changing `interval` or `batch_size` updates the Kuma monitor configuration.

Auth Required

WordPress admin session

Request Body · optional

enabled boolean
mode string plugin_endpoint | wp_cron
interval integer

Seconds between pings. Min 20 (plugin_endpoint) or 60 (wp_cron), max 3600.

batch_size integer

Jobs processed per ping (1-100). Only relevant in plugin_endpoint mode.

Responses

200 Updated configuration.
{
  "enabled": false,
  "mode": "plugin_endpoint",
  "min_interval": 0,
  "interval": 60,
  "batch_size": 10,
  "monitor_id": 0
}
400 Validation error (invalid mode, out-of-range interval or batch_size).
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 No active Pro license.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X PUT "https://your-site.com/wp-json/fswa/v1/pro/external-cron/settings" \
  -H "X-FSWA-Token: your-token" \
  -H "Content-Type: application/json" \
  -d '{
  "enabled": false,
  "mode": "plugin_endpoint",
  "interval": 0,
  "batch_size": 0
}'

Get External Cron monitor stats

Returns recent heartbeat history and uptime statistics from the Uptime Kuma monitor.

Auth Required

WordPress admin session

Responses

200 Monitor statistics.
{
  "beats": [],
  "uptime_24h": null,
  "avg_ping": null
}
403 No active Pro license.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/pro/external-cron/stats" \
  -H "X-FSWA-Token: your-token"

Pause the External Cron monitor

Auth Required

WordPress admin session

Responses

200 Monitor paused.
{
  "paused": true
}
403 No active Pro license.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X POST "https://your-site.com/wp-json/fswa/v1/pro/external-cron/pause" \
  -H "X-FSWA-Token: your-token"

Resume the External Cron monitor

Auth Required

WordPress admin session

Responses

200 Monitor resumed.
{
  "active": true
}
403 No active Pro license.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X POST "https://your-site.com/wp-json/fswa/v1/pro/external-cron/resume" \
  -H "X-FSWA-Token: your-token"

Activity History

3 endpoints

Persistent audit log of every admin and API-token action: webhooks, tokens, settings, logs, queue, schemas, chains, cron, and (Pro) snippets. Each entry captures the actor, action type, affected object, structured old/new diffs, and optional AI prompt/reasoning from `X-FSWA-Prompt` / `X-FSWA-Reason` request headers. Requires `read` scope for listing; `full` scope for bulk delete.

List activity log entries

Returns paginated activity log entries, newest first. Requires `read` scope.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Parameters

NameInTypeReqDescription
pagequeryinteger default: 1
per_pagequeryinteger default: 20
actionquerystringFilter by exact action string (e.g. `webhook.updated`).
action_prefixquerystringFilter by action prefix (e.g. `webhook` matches all webhook actions).
user_idqueryinteger
object_typequerystring
object_idqueryinteger
date_fromquerystringFilter from this UTC datetime (format: `YYYY-MM-DD HH:MM:SS`).
date_toquerystringFilter until this UTC datetime (format: `YYYY-MM-DD HH:MM:SS`).

Responses

200 Array of activity log entries.
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/activity" \
  -H "X-FSWA-Token: your-token"

Bulk delete activity log entries

Deletes activity log entries older than the specified number of days. Omitting `older_than_days` deletes all entries. Requires `full` scope.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Parameters

NameInTypeReqDescription
older_than_daysqueryintegerDelete entries older than this many days. Omit to delete all entries.

Responses

200 Number of deleted records.
{
  "deleted": 0
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X DELETE "https://your-site.com/wp-json/fswa/v1/activity" \
  -H "X-FSWA-Token: your-token"

Get an activity log entry

Returns a single activity log entry by ID. Requires `read` scope.

Auth Required

X-FSWA-Token headerAuthorization: Bearer?api_token=

Responses

200 Activity log entry.
{
  "id": 0,
  "user_id": 0,
  "token_id": 0,
  "token_hint": "ab12",
  "action": "webhook.updated",
  "object_type": "webhook"
}
401 Unauthorized — missing or invalid credentials.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
403 Forbidden — token does not have sufficient scope.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}
404 Not found.
{
  "code": "rest_webhook_not_found",
  "message": "Webhook not found.",
  "data": null
}

example request

curl -X GET "https://your-site.com/wp-json/fswa/v1/activity/id" \
  -H "X-FSWA-Token: your-token"
Ready

Your next automation is
one sentence away.

$ wp plugin install flowsystems-webhook-actions --activate